Online shopping has spiked in the last 5 years, crossing the trillion dollar threshold in 2012. Embracing the consumer preference for internet shopping, many new businesses are only available through the web. Yet a surprisingly low number of new merchants are taking measures to protect themselves from internet fraud. While many online business owners are convinced that any fraud activity on a card is largely the domain of banks and credit card issuers, internet retailers are simply unaware that in the world of ‘card not present’ (internet purchases), they are liable for bad purchases run through their stores.
For many people, the word ‘fraud’ can seem complex and overwhelming. ‘What is fraud?’ ‘How does fraud work?’ These are common questions that are actually very simple to answer. If an individual had cash stolen from their wallet, and that cash was then used in a purchase by the thief, that crime would be described as theft. The money doesn’t belong to the thief, it belongs to our victim. In fraud, this crime works exactly the same way. Only this time the thief takes the credit/debit card instead of the cash. The law states that only legal cardholders can use cards issued to them. When a thief steals a card and uses it, the thief is pretending to be that legal cardholder and racks up charges in their name. Every charge the thief makes with the stolen credit card is considered a fraudulent (bad) transaction.
If all merchants had to worry about was physical credit cards being stolen, then this wouldn’t be much of an issue. But with data breaches becoming increasing common, the financial information of tens of millions of consumers are now in the hands of cyber cartels looking to use their newly acquired information as quickly as possible. With the ability to purchase almost anything online, criminal are increasingly using their stolen data for online purchases instead of placing the stolen information on fraudulent cards to make “card present” transactions in retail stores.
With all of this fraudulent information floating around in cyberspace, it can be difficult to know what the best course of action is. Accepting credit cards is a sure fire way to expose a business to theft, but clamping down on card transactions will place a financial chokehold on a business that most likely would be fatal.
The key for businesses is to understand what they are liable for. When a business decides to accept payment from a card issuer or bank, they are accepting the terms and conditions passed down by them. What that entails is also accepting the established industry standards that are almost entirely uniform in the industry. Card issuers and banks have no ability to track if a card (or card data) has been obtained by unauthorized persons. The only way to know that an issue has arisen is when the card/card data is used in a purchase. Because a merchant has the greatest ability to stop a criminal in their tracks, card issues and banks place the financial liability on merchants for any fraudulent orders that they process.
To dig deeper into the issue, merchants need to understand the technical lingo that is written into merchant contracts. Many merchants take the assumption that if a transaction is authorized then it is a legitimate transaction. That is not the case. When a card processor runs a card and authorizes, it is simply verifying that the funds are available, the card is not reported as stolen or declined and the consumer’s credit limit has not been hit. An authorization is not running a report as to likelihood of the card being stolen or not, or if it is a risky transaction or good order. Once a merchants accepts funds, the liability now fully rests on them.
Ecommerce fraud is exploding for multiple reasons, but one simple yet major reason that it is exploding so fast is that many individuals simply do not check their credit card statements every day. While there are always going to be that subset of vigilant consumers who set mobile alerts for any purchases and check their cards daily, many consumers wait for their statement to be released before they look over their purchases. By then many weeks or months could have passed before they recognize the unauthorized transactions used on their cards.
Banks and card issuers do their best to look for irregular card activity by calling their customers to verify transactions they might have made. If someone goes on a road trip and suddenly makes multiple purchases in another state, a card is frequently frozen and the cardholder is typically contacted to verify if they did indeed make those purchases. But card issuers can only look for irregularities in a card holders account, and pending any drastic activity changes are powerless to know if a card is being used in a legal or illegal manner.
All merchants are accountable for and suffer chargebacks
To help account for this, and also to help deal with bad businesses, most card issuers offer card holders a 3 to 6 month chargeback grace period. For those not in the know, chargebacks are every merchant’s worst nightmare. Chargebacks occur when a cardholder contacts the card issuer to request a refund from a merchant. This would occur because the customer would somehow be unable to obtain a refund from the merchant or that the merchant is refusing to offer a refund to the customer. To read more about chargebacks and how to stop them read our series on chargebacks. Once a chargeback is initiated by the cardholder, the card issuer will deduct the funds from the merchants account and debit it to the card holders account.
The merchant can fight this process by providing evidence to the card issuer that the customer did in fact make a purchase, received the product intact, and is in the wrong. But in the case of a fraudulent purchase that causes the real card holder to initiate a chargeback against the merchant, ignorance of the card’s misuse by the merchant won’t stop the funds from being forcibly deducted. Many card issuers will hold a portion of the funds generated by sales through their cards in a reserve account that is held explicitly for the purpose of reimbursing card holders from bad transactions. The card issuers themselves cannot risk the liability that their merchants could run up thousands of bad orders and then not be able to pay the cardholders back. This reserve account is created because the credit card companies and banks only have a limited amount of money available to repay their customers at any given time from their own accounts. So by establishing a safety net between themselves and the merchant, they help prevent a shock withdrawal from the merchants account in the case of a large chargeback while guaranteeing that the card issuer can repay the card holder instantly.
To add insult to injury, merchants who have multiple chargebacks against them risk ever compounding fee’s as well as being placed on a chargeback fraud detection monitoring program. If merchants are unable to bring the chargeback rate down, they risk be deny listed by the card issuer either temporarily or permanently, which can drastically cut revenues for that business.
So what is a retailer to do?
No matter what the purchase, or the volume of transactions that merchant may be accepting at any given month, all transactions paid for by credit card need to be vetted.
But verifying transactions can be difficult as tying an online identity to an offline real person can take a significant amount of research. But there are common steps that all merchants can take that will significantly reduce the probability that they will process a fraudulent order or accept business from someone who serially conducts chargebacks.
1. Always, always, always collect and examine CVV2 and AVS and examine them closely
CVV2 is the 3 digit code on the back of a credit card that is separate from the 16 digit number sequence on the front. The code is a secondary backup to ensure that the card is actually in the hands of the cardholder and is never stored on file in a transaction history unlike a credit card number.
AVS stands for Address Verification System. When entering in a billing address, all merchants need to ensure that the billing address entered into the checkout matches that of the address tied to the card. If a customer repeatedly fails AVS, that is a staggering red flag. There is no reason that a real customer would be unable to identify what the billing address is for the card unless the card was being used illegally.
2. Ensuring that billing and shipping match are critical.
Billing and shipping always go together, and if they don’t it is normally an issue. Merchants always need to carefully examine why a customer would not ship to their billing address. Are they shipping to family? Are they shipping to friends? What connection does the purchaser have to the recipient? Many merchants will cancel orders that have a billing/shipping mismatch, while others have a large amount of research that goes into verifying if the customer is the true card holder. In an instance of a billing/shipping mismatch, a merchant always wants to ensure that during the checkout the customer didn’t fail the AVS or CVV2. Additionally, it is recommended to merchants that they call the customer to verify the recipient of the delivery.
3. Always get a signature for delivery
When purchasing online, often times the simplest fraud ideas are the most effective. And nothing is simpler than claiming that you never received your package. For any kind of high value order, ensure that the customer who made the purchase is the one who signs for delivery. By getting a signature, you ensure that the customer can’t later force a chargeback against you and you ensure that fraud isn’t later claimed. A major source of fraud for merchants is reshipping fraud, where a fraudster will purchase a product on the web and have it shipped to a middleman who then mails the product to him. Requiring a signature from the cardholder stops reshipping fraud in its tracks as a fraudster would have no ability to get the real cardholders signature nor would any middleman be able to accurately forge a signature.
4. Always check IP
Internet Protocol, the location of the computer the customer is using, is normally a dead giveaway to the truthfulness of the transaction. Is your customers billing and shipping in Indiana, but the IP is from Egypt? Well, that’s probably a fraudulent transaction. While the IP address can fluctuate a few miles from the address of the customer, it should never be in excess of 50 miles. Any IP address that is far from the address of the customer indicates either three things. 1. The customer is away on business. 2. The customer is on vacation. 3. This is a bad transaction. Many fraudsters attempt to mask their IP location by going through regional proxy servers, but these are easily detected and are simply another indicator of an online criminal.
5. A customer with a bad user name or email is almost always a bad customer
According to surveys over the last couple of years, the vast majority of customers will reuse the same username for most websites, and only maintain 2-3 email addresses at any given time. What this means for merchants is that if you encounter an email that doesn’t contain the name of the customer, red flags should immediately be raised. If an individual consequently gives you a user name that is full of strange characters or numbers that is normally an indication that this customer doesn’t intend to be a returning purchaser. Many merchants require that a customer verify their profile by clicking on a link sent to the customers email address to verify if this indeed is a human and not a bot. If the email address entered in the creation of the profile is different than the email address stored on file by the card holder that additionally is an indicator that something suspicious is going on in the order.
6. Be on the lookout for multiple purchase attempts, and protect your store against attacks
Fraudsters rarely have a complete data set on the individual of whom they are impersonating when making purchases online. They may be able to fill in the card number, name and address but fail the CVV2. They might have stolen the wrong email address, or they could be trying to make a purchase from the other side of the globe. If there are instances of multiple attempts, with repeated failures in a critical field a merchant will want to permanently decline that customer and every data point associated with the transactions.
7. Check the shipping address
If your customer is shipping to a Fedex store, or to a park P.O. box, that might be a red flag that they are trying to hide their location. If the location is a known drop ship address, or has a history of fraud associated with it, why take the risk of shipping to that address?. Using address verificaction services such as Whitepages.com to run the address is a crucial step in every transaction to ensure that a customer who claims the address is their own is not in fact using an illegitimate address to avoid detection while running bad transactions.
Fraud prevention takes time!
Criminals are drawn to online companies like gravity, the larger the business the stronger the pull. Online fraud prevention solutions are difficult, time consuming process that only grows more and more important as a company increases its sales. With liability solely on the internet retailers, Signifyd finds that the vast majority of merchants take a cautious approach and tend to decline any suspicious orders as well as declining most international orders. Without having a data verification service to tell merchants if a customer is using a proxy to mask his IP or to verify his address, merchants can be at a loss to confidently decline or accept an order.
Signifyd provides the tools merchants need to quickly verify their orders.
Looking up 5 orders a day might not be an issue for company, but if your company finds itself suddenly needing to review 75, 100, 200+ orders a day it can quickly become an overwhelming and all day long task. And without a uniform way of doing each search a company can find it is simply approving or declining orders ” based on their gut”. Signifyd provides companies a way to quickly ensure that they don’t rack up huge losses by accepting payment from multiple stolen credit cards or get hit by numerous chargebacks. Signifyd runs reverse IP lookups to detect proxies, verifies a customers address, checks bin to verify the cards origin, looks through social media to double check a customer’s true identity, and gives merchants a customer’s shopping history to highlight any possible fraud or chargebacks that can be associated with them. Signifyd scores transactions at an average of 200 milliseconds and works with merchants from the largest on the web to merchants who have just set up shop. If you run a business and are concerned about chargebacks and fraud and want to learn more please reach out to us at firstname.lastname@example.org to learn more!